One of the newer Microsoft 365 capabilities introduced at the Ignite conference this week are ‘Regulatory Record Labels’ – a new type of label which presents an interesting option for records managers to consider.
I think it’s probably best to think of Regulatory Record Labels as a new variant of the existing Retention Labels. For the most part they look and work in a very similar, if significantly more compliant way.
We now have three different flavours of Retention Label:
Retention Labels:
Anyone who can update an item can apply, change and remove without restriction
When applied both content and metadata (aka site columns) continue to be mutable
Record Labels:
Anyone who can update an item can apply these labels
Only an administrator can change or remove
When applied to a list item metadata is immutable
When applied to a file the content itself is made immutable (however you can still make changes to metadata)
Regulatory Record Labels:
Anyone who can update an item can apply these labels
Nobody can change or remove them
When applied to any item or file both content and metadata become immutable
So Regulatory Record Labels can be used in situations where you absolutely need to ensure that the record isn’t altered. They really aren’t for the faint-hearted – once you apply one there is no going back – the record and its metadata are permanently locked.
There are a few other important changes in the way that Regulatory Record Labels differ from other variants:
Restrict movement – users will be able to move regulatory records between folders in the same SharePoint Library, but not between Libraries or Sites.
Prevent versioning – I’m not sure how familiar many will be with the concept of record versioning, but it essentially allows users to easily update files protected with “Record Labels”, by creating a new version of the record, while ensuring that the previous version remains immutable. While Record Labels continue to provide this feature, Regulatory Record Labels (being more restrictive) do not allow record versioning.
Prevent reductions of retention durations – When editing the settings of a Regulatory Record Label in the Compliance Center, Administrators will find that they cannot reduce the length of any retention period.
Prevent the restoration of SharePoint sites – I’ll roll up my sleeves and have a play with this in current weeks – but if I understand it correctly, a deleted SharePoint site cannot be restored if (I assume) it contains any regulatory records.
Opt-In – Unlike most features in Microsoft 365, Regulatory Record Labels are disabled by default. In fact, you will need to run PowerShell to turn them on. The reason for this is simple – Microsoft only want people who understand them to have access to them; the risk of accidentally locking important content forever is far too great!
Alerts – Given that once applied they can never be removed, Microsoft has wisely decided to provide additional alerts to make sure that both administrators and users are aware of the potential risks – whether of course anyone actually reads these warnings is a completely different question.
Manual application only – A few weeks’ ago some of you might have spotted the example of what happened at KPMG when retention capabilities were used without fully considering the ramifications – so given the potential for permanently making content immutable, it is clear to see why Microsoft has chosen to prevent any automated approaches to applying Regulatory Record Labels (for now at least!).
Practical application
Obviously having enhanced Retention options can only be great thing. I can easily imagine those organisations who need to reach some of the highest levels of compliance1 will be delighted to see the introduction of these new labels.
On a practical basis, I think Regulatory Record Labels need to be handled with caution. If you decide to use them, you’ll want to make sure that you only push them out to very specific sites, groups and inboxes. You’ll need to ensure everyone with the ability to modify content in any of the areas of your tenancy with Regulatory Record Labels fully understands exactly what they do. Practically, this probably means only even pushing them to locked down archival areas that are managed by a handful of trained and trusted users.
In reality, Regulatory Record Labels will likely prove to be superb tools that will only ever be used by a small number of organisations and only in very controlled, specific areas. Listen to Roberto Yglesias in the video below to find out more!
Footnote
1 Regulatory Record Labels have been independently assessed to meet CFTC Rule 1.31 (c)-(d), FINRA Rule 4511, & SEC Rule 17a-4